```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  LogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: /aws/lambda/cfs-termination
      RetentionInDays: 7
  StackTermination:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: TerminateOverdueStacks
      MemorySize: 128
      Description: Terminate CloudFormation Stacks that have the DeleteAfter tag
      Handler: index.handler
      Runtime: nodejs6.10
      Timeout: 10
      Policies:
        - PolicyName: LambdaListAndTerminateStacks
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:ListExports'
                  - 'iam:PassRole'
                Resource:
                  - '*'
      Events:
        CfsTermination:
          Type: Schedule
          Properties:
            Schedule: rate(30 minutes)
```
This template applies without issue. However, the resulting role only has the AWSLambdaBasicExecutionRole managed policy. My inline policy does not trigger an error, yet is still seemingly ignored. Am I doing something wrong?
You should only include the policy statement (`{Statement: {...}}`). For inline policies, SAM looks for an object with a `Statement` key in it. If it isn't found, it ignores the object.
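A pre-deploy check for the behaviour described above, added here as an example and not code from the SAM project or from anyone in this thread: it walks an already-parsed template, reports `Policies` entries on `AWS::Serverless::Function` resources that use the `AWS::IAM::Role` wrapper shape (`PolicyName`/`PolicyDocument`) SAM would silently drop, and unwraps them into the document SAM reads. The function names, the finding text and the embedded template (constructed to mirror the one in the issue) are assumptions of this example.

```python
from typing import List

SAM_FUNCTION = "AWS::Serverless::Function"

# Constructed to mirror the issue's template, already parsed as a YAML loader
# would return it: a Role-style {PolicyName, PolicyDocument} wrapper under Policies.
TEMPLATE = {"Resources": {"StackTermination": {
    "Type": SAM_FUNCTION,
    "Properties": {"Handler": "index.handler", "Policies": [{
        "PolicyName": "LambdaListAndTerminateStacks",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["cloudformation:DescribeStacks"],
             "Resource": "*"}]},
    }]},
}}}


def find_ignored_policies(template: dict) -> List[str]:
    """Report Policies entries on SAM functions that lack a top-level Statement key."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != SAM_FUNCTION:
            continue
        policies = res.get("Properties", {}).get("Policies", [])
        if not isinstance(policies, list):  # SAM also accepts a single entry
            policies = [policies]
        for i, pol in enumerate(policies):
            if isinstance(pol, str) or (isinstance(pol, dict) and "Statement" in pol):
                continue  # managed policy name/ARN, or a proper inline policy document
            if isinstance(pol, dict) and "PolicyDocument" in pol:
                findings.append(f"{logical_id}.Policies[{i}]: Role-style wrapper, SAM ignores it")
            else:
                findings.append(f"{logical_id}.Policies[{i}]: no Statement key, check it")
    return findings


def unwrap_policy(entry: dict) -> dict:
    """Turn a {PolicyName, PolicyDocument} wrapper into the document SAM actually reads."""
    return entry.get("PolicyDocument", entry)


if __name__ == "__main__":
    for finding in find_ignored_policies(TEMPLATE):
        print(finding)
```

Run it against the parsed template in a CI step so a dropped policy fails the build instead of deploying a function whose role silently lacks the permissions you wrote.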
I don't like this experience where some policies are ignored. We should change this to fail fast so you know what's wrong.
Yes, that solved it. Thanks!
I strongly agree that instead of noop-ing the faulty configuration, it really should fail hard.
I see that I have gotten "policy" and "policy document" mixed up. I guess the main reason for this is that `AWS::Serverless::Function` uses `Policies` as a collection of policy documents, whereas `AWS::IAM::Role` uses `Policies` for a list of policies... This is confusing, and I would've preferred a different name for the function property, e.g. `PolicyDocuments`, to make it clear it is indeed something different.
Dupe of #172
@cjohansen
I wonder what the working version of your policy statement is if you could provide an example. Thanks
@sanathkr
I wonder if there is an example / doc of how to write an inline policy. Thanks.
I came from
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Is it that only the statement part is needed?
EDIT: After trial and error, I found out that only the statement part from iam-managedPolicy is needed:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html
@Jun711
```yaml
Resources:
  SomeFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: SomeFunction
      MemorySize: 128
      Handler: index.handler
      Runtime: nodejs6.10
      Timeout: 20
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - 'cloudformation:DescribeStacks'
                - 'cloudformation:DescribeStackResources'
                - 'cloudformation:CancelUpdateStack'
                - 'iam:PassRole'
              Resource:
                - '*'
```